su

Synopsis

su [-] [username [arg...]]

Description

The su command allows one to become another user without logging off
or to assume a role. The default user name is root (superuser).

To use su, the appropriate password must be supplied (unless the invoker
is already root). If the password is correct, su creates a new
shell process that has the real and effective user ID, group IDs,
and supplementary group list set to those of the specified username. Additionally, the
new shell's project ID is set to the default project ID of
the specified user. See getprojent(3PROJECT), setproject(3PROJECT). The new shell will be the
shell specified in the shell field of username's password file entry (see
passwd(4)). If no shell is specified, /usr/bin/sh is used (see sh(1)). If
superuser privilege is requested and the shell for the superuser cannot be
invoked using exec(2), /sbin/sh is used as a fallback. To return to
normal user ID privileges, type an EOF character (CTRL-D) to exit the
new shell.

Any additional arguments given on the command line are passed to the
new shell. When using programs such as sh, an arg of the
form -c string executes string using the shell and an arg of -r
gives the user a restricted shell.

To create a login environment, the command “su -” does the following:

In addition to what is already propagated, the LC* and LANG environment variables from the specified user's environment are also propagated.

Propagate TZ from the user's environment. If TZ is not found in the user's environment, su uses the TZ value from the TIMEZONE parameter found in /etc/default/login.

Set MAIL to /var/mail/new_user.

If the first argument to su is a dash (-), the environment
will be changed to what would be expected if the user actually
logged in as the specified user. Otherwise, the environment is passed along,
with the exception of $PATH, which is controlled by PATH and SUPATH
in /etc/default/su.

All attempts to become another user using su are logged in the
log file /var/adm/sulog (see sulog(4)).
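
One way to triage the log described above, as an added example that is not part of the original manual page: the function reads records in the sulog(4) layout (SU, date, time, + or - for success or failure, tty, from-to) and reports invoking users with repeated failed attempts to a target account. The function names, the threshold and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise failed su attempts from sulog(4)-style records.
# Assumed record layout: SU MM/DD HH:MM <+|-> <tty> <from>-<to>

# Constructed sample records (not taken from a real system).
sample_sulog() {
    cat <<'EOF'
SU 10/27 13:05 - pts/4 mallory-root
SU 10/27 13:06 - pts/4 mallory-root
SU 10/27 13:07 + pts/2 alice-root
SU 10/27 13:08 - pts/4 mallory-root
SU 10/27 13:09 + pts/4 mallory-root
SU 10/27 13:15 - pts/7 svc-backup-root
SU 10/27 13:20 - pts/1 bob-oracle
truncated or corrupt line
EOF
}

# su_failures [TARGET] [THRESHOLD] < sulog
# Prints one line per invoking user with at least THRESHOLD failed attempts
# to TARGET: "<from> failed=N ok=M last=<MM/DD HH:MM of last failure>".
# ok > 0 alongside a run of failures is the case worth a closer look.
su_failures() {
    awk -v target="${1:-root}" -v min="${2:-3}" '
        $1 != "SU" || NF != 6 { next }          # ignore malformed records
        {
            # Match on the "-<target>" suffix so that hyphenated invoking
            # names (svc-backup-root) are split correctly.
            suffix = "-" target
            n = length($6) - length(suffix)
            if (n < 1 || substr($6, n + 1) != suffix) next
            from = substr($6, 1, n)
            if ($4 == "+") { ok[from]++; next }
            if ($4 != "-") next
            fail[from]++
            last[from] = $2 " " $3
        }
        END {
            for (u in fail)
                if (fail[u] >= min)
                    printf "%s failed=%d ok=%d last=%s\n", u, fail[u], ok[u] + 0, last[u]
        }
    ' | sort
}

# Demo on the constructed sample; on a live system: su_failures root 3 < /var/adm/sulog
sample_sulog | su_failures root 3
```

The from-to field has no unambiguous separator, so a target account whose own name ends in "-root" would be counted as an attempt on root.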

Security

su uses pam(3PAM) with the service name su for authentication, account management,
and credential establishment.

Environment Variables

If any of the LC_* variables (LC_CTYPE, LC_MESSAGES, LC_TIME, LC_COLLATE, LC_NUMERIC,
and LC_MONETARY) (see environ(5)) are not set in the environment, the operational
behavior of su for each corresponding locale category is determined by the
value of the LANG environment variable. If LC_ALL is set, its contents are
used to override both the LANG and the other LC_* variables. If
none of the above variables are set in the environment, the “C”
(U.S. style) locale determines how su behaves.

LC_CTYPE

Determines how su handles characters. When LC_CTYPE is set to a valid value, su can display and handle text and filenames containing valid characters for that locale. su can display and handle Extended Unix Code (EUC) characters where any individual character can be 1, 2, or 3 bytes wide. su can also handle EUC characters of 1, 2, or more column widths. In the “C” locale, only characters from ISO 8859-1 are valid.

LC_MESSAGES

Determines how diagnostic and informative messages are presented. This includes the language and style of the messages, and the correct form of affirmative and negative responses. In the “C” locale, the messages are presented in the default form found in the program itself (in most cases, U.S. English).

Files

$HOME/.profile

user's login commands for sh and ksh

/etc/passwd

system's password file

/etc/profile

system-wide sh and ksh login commands

/var/adm/sulog

log file

/etc/default/su

the default parameters in this file are:

SULOG

If defined, all attempts to su to another user are logged in the indicated file.

CONSOLE

If defined, all attempts to su to root are logged on the console.

PATH

Default path. (/usr/bin:)

SUPATH

Default path for a user invoking su to root. (/usr/sbin:/usr/bin)

SYSLOG

Determines whether the syslog(3C) LOG_AUTH facility should be used to log all su attempts. LOG_NOTICE messages are generated for su's to root, LOG_INFO messages are generated for su's to other users, and LOG_CRIT messages are generated for failed su attempts.

/etc/default/login

the default parameters in this file are:

SLEEPTIME

If present, sets the number of seconds to wait before login failure is printed to the screen and another login attempt is allowed. Default is 4 seconds. Minimum is 0 seconds. Maximum is 5 seconds.